Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Palyh Worm Crawls On

UPDATE: The Palyh worm was showing some signs of running out of steam late Wednesday.

The Palyh worm was showing some signs of running out of steam late Wednesday, as security vendors reported seeing fewer copies than they had earlier in the week.

At its peak on Monday, nearly one in every 200 e-mails contained a copy of Palyh, according to statistics compiled by MessageLabs Inc., an e-mail security vendor based in New York. The company stopped about 65,000 copies of the worm Monday, but that number dropped to around 55,000 Tuesday and fell even further to a little more than 30,000 so far Wenesday. And Palyh hasnt come close to approaching the level of activity of its immediate predecessor, Fizzer. MessageLabs reports seeing more than 402,000 copies of Fizzer thus far in May, compared to about 162,000 total copies of Palyh.

"Any e-mail arriving from an address like support@microsoft.com containing an attachment should look like a huge billboard reading I am a virus to every computer user," said Ian Hameroff, security strategist at Computer Associates International Inc., in Islandia, N.Y. "We all need to be wary of anything that arrives unexpectingly and includes executable attachments because virus creators will continue to use social engineering tactics for as long as they work. This worm will have its greatest impact in the home computer space since most, if not all, enterprises employ a policy of blocking attachments types like .PIF."

Further reading

Palyh shares many of the same characteristics of the Sobig virus that has been around for several months. It is written in the same language and packed with the same program as Sobig, according to an analysis by McAfee Security, a unit of Network Associates Inc., in Santa Clara, Calif. The e-mail borne worm arrives in an executable attachment to a message with a random subject line. The return address on the message is also randomized, with many copies of the worm appearing to come from support@microsoft.com. The subject lines include:

Palyh apparently first hit the Internet on Saturday, with most of the activity in Asia at that point. It began spreading rapidly Sunday and continued to pick up momentum Monday morning. MessageLabs Inc., an e-mail security company based in New York, has seen more than 26,000 copies of the worm, with about 20,000 of those having shown up Monday.

Once executed on a target machine, Palyh copies itself to the registry and the startup routine and then begins looking for open network shares. Some security vendors say that it also attempts to connect to a remote Web site and may attempt to download some malicious code. This behavior is very similar to that of many of the recent network-aware worms, including last weeks star, Fizzer.

Palyh then begins extracting e-mail addresses from various locations on the infected machine and mails itself to every address it finds.